iPhone web service calls to WCF Service with Certificate Authentication


Question


We are a .Net shop that has standardized on WCF Services. We are in the process of developing an iPhone application that needs to make secure web services calls to obtain data for the app. To ensure secure communications we have enabled SSL on our web servers. But this does not ensure the service can only be consumed by authorized apps. We have configured our services to support x509 certificate authentication. Is it even possible to call a secure WCF service with certificate authentication from an iPhone app?

I have spent many hours searching the internet for examples but to no avail. I HAVE been able to successfully call an un-secure WCF service with no issues. I have also done a lot of research on the WS-Security and WS-Trust communications standards. I believe I understand how this should work. I am just having trouble piecing together the steps/objects within the iPhone frameworks I need to make this work.

Any thoughts and ideas on the subject would be greatly appreciated.

Also, any thoughts on any of the following:

  1. How best to deploy the P12 certificate file with the iPhone application
  2. How best to secure the password for the P12 file within the app
  3. Is deploying the P12 file with the app a best practice
  4. Are there facilities within the iPhone frameworks to support this kind of secure communication? If not, what would be an alternative recommendation?

Solution

For starters, I'd say if you are really serious about security please dedicate the proper time and resources to it and treat it like a first class citizen in your feature list. Don't just "turn on SSL" and pretend things are secure. I'm not suggesting you are doing this or not doing this, but I just feel like I have to say it before proceeding.

That said, you probably already know that WS-* is all built on top of http requests, and any time you are doing loads of http requests, you'll probably find ASIHTTPRequest very helpful on the iPhone. However, that will not get you 100% of the way there.

From the iPhone's perspective you have:

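  1. The URL loading system (http://developer.apple.com/iphone/library/documentation/Cocoa/Conceptual/URLLoadingSystem/URLLoadingSystem.html#//apple_ref/doc/uid/10000165i), which is a high level API for dealing with network resources of any kind
  2. The CFNetwork C API (http://developer.apple.com/iphone/library/documentation/Networking/Conceptual/CFNetwork/Introduction/Introduction.html#//apple_ref/doc/uid/TP30001132) which is lower-level and allows you a great deal more control of encrypting streams and network traffic any way you see fit
  3. The Certificate, Key, and Trust Services (http://developer.apple.com/iphone/library/documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/doc/uid/TP30000157) that do the heavy lifting, and more specifically the X509 trust policies (http://developer.apple.com/iphone/library/documentation/Security/Reference/certifkeytrustservices/certKeyTrustPolicies/certKeyTrustPolicies.html#//apple_ref/doc/uid/TP30000157-CH204-CIHIJIII)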

On Macs you get to use Secure Transport, but as far as I know they haven't ported that to the device so I wouldn't get too distracted reading up on that unless you are planning on bringing this to the desktop or are just in the mood to learn everything :)

If you are doing any security with WCF, the first thing you probably realized is that there are many options available to you, but it all boils down to this short list:

  1. Transport layer security (https) with clear text messages (xml/json/...)
  2. Message layer security (encrypted message body) over an open transport (http)
  3. Secured messages over a secured transport

The last time I was doing WCF (about a year ago) the general recommendation from Microsoft seemed to be Message layer security over an open transport because of firewall / accessibility issues introduced when trying to secure the transport. However, this approach assumed that all parties involved were .NET / WCF capable. I believe it would be easier to consume on the device if it were an HTTPS transport level security, with clear XML or JSON message bodies. That way you can take advantage of all the stuff baked into CFNetwork and NSHTTPRequest that Apple has done.

Once you get something working, you'll want to refer to the Enterprise Deployment Guide (https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html), and specifically the documentation on Over-the-Air Enrollment so that you can install the certificates on the devices. Remember, anything is possible, and don't be afraid to use one of those Apple support tickets that come with the program :)

EDIT:

I completely forgot to mention the GenericKeychain and CryptoExercise examples.

EDIT 2:

After I got downvoted for no apparent reason I re-read my response and realized I rambled a bit too much without actually answering your question about how to open a p12 file on the device. You ought to be able to simply [[UIApplication sharedApplication] openURL:urlToP12FileEitherLocalOrRemote] and have it kick out to the OS for the installation procedure.
